After BIOS (which does not support what you want), the next step in PXE loading is the PXE boot loader. However, modifying the bootloader requires knowledge of assembly and some low-level system programming, so I wouldn't go there to add password protection functionality.

I think the easiest solution is to modify the scripts running in pre-OS, such as WinPE, and add any custom authentication logic you require. In this instance you would want some logic to check some user-entered credentials and based on some validation either do or do not launch Ghost for imaging. Basically, scripts allow you to customise the pre-OS execution to your liking.

Of course, the downside is that, in the case of WinPE, the whole large image has to be downloaded into RAM before password-prompting logic even appears. But it does solve the problem of users "accidentally" imaging their machines.
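
One way to implement the credential check described above as a WinPE startup script; this is an added example, not part of the original answer. The script name, the paths `X:\Tools\ghost64.exe` and `X:\Tools\imaging.auth`, and the verifier file format are assumptions, and the image needs the WinPE-PowerShell optional component.

```powershell
# Gate-Imaging.ps1: run at WinPE startup to gate Ghost behind a password (added example).
# Paths and the verifier file format (iterations:saltB64:hashB64) are hypothetical.
param([switch]$Enroll, [string]$AuthFile = 'X:\Tools\imaging.auth')
$GhostExe = 'X:\Tools\ghost64.exe'
$MaxTries = 3

function Get-Pbkdf2([string]$Password, [byte[]]$Salt, [int]$Iter) {
    # Three-argument constructor = PBKDF2-HMAC-SHA1, present in every .NET Framework 4.x.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $Password, $Salt, $Iter
    try { return ,$kdf.GetBytes(20) } finally { $kdf.Dispose() }
}
function Read-Secret([string]$Prompt) {
    $s = Read-Host -Prompt $Prompt -AsSecureString          # input is not echoed
    return (New-Object System.Net.NetworkCredential -ArgumentList '', $s).Password
}
function Test-BytesEqual([byte[]]$A, [byte[]]$B) {
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0                                               # compare without early exit
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

if ($Enroll) {   # run once on the build machine; copy the resulting file into the image
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $hash = Get-Pbkdf2 (Read-Secret 'New imaging password') $salt 200000
    '{0}:{1}:{2}' -f 200000, [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash) |
        Set-Content -Path $AuthFile
    return
}

try {
    $iter, $saltB64, $hashB64 = (Get-Content -Path $AuthFile -ErrorAction Stop | Select-Object -First 1).Split(':')
    $iter = [int]$iter; $salt = [Convert]::FromBase64String($saltB64)
    $expected = [Convert]::FromBase64String($hashB64)
} catch {
    Write-Host 'Imaging verifier missing or unreadable; rebooting.'   # fail closed
    wpeutil reboot; exit 1
}
for ($n = 1; $n -le $MaxTries; $n++) {
    $candidate = Get-Pbkdf2 (Read-Secret "Imaging password ($n/$MaxTries)") $salt $iter
    if (Test-BytesEqual $candidate $expected) { Start-Process -FilePath $GhostExe -Wait; exit 0 }
    Write-Host 'Incorrect password.'
}
Write-Host 'Too many failed attempts; rebooting.'
wpeutil reboot
exit 1
```

Launching the script from `Winpeshl.ini` rather than `startnet.cmd` makes WinPE restart when the script exits instead of leaving a command prompt open. The verifier file ships inside the boot image that every PXE client downloads, so this gate deters accidental imaging rather than a determined user.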